Last updated: 15 April 2026
This GDPR Notice explains how AML Watchtower (“we”, “our”, “us”) processes personal data when providing Anti-Money Laundering (AML) outsourcing services.
1. Roles Under GDPR
Depending on the engagement, AML Watchtower acts as:
- Data Processor – when processing personal data on behalf of our clients
- Data Controller – only in limited cases, such as website enquiries and business communications
In the context of AML outsourcing services, we primarily act as a Data Processor.
2. Nature of Processing
We process personal data strictly on behalf of our clients to support their AML/CFT obligations, including:
- Know Your Customer (KYC), Customer Due Diligence (CDD), and Enhanced Due Diligence (EDD)
- Customer onboarding and verification
- Beneficial ownership (UBO) identification
- Sanctions and Politically Exposed Persons (PEP) screening
- Transaction monitoring and alert investigations
- Suspicious Activity / Transaction Report (SAR/STR) preparation
- Ongoing Due Diligence (ODD / EODD) and periodic reviews
3. Categories of Personal Data
Depending on the service scope, we may process categories of personal data such as:
- Identification data, such as name, date of birth, and ID details
- Contact information
- Financial and transactional data
- Risk assessment data
- Beneficial ownership information
- Screening results, including sanctions, PEP, and adverse media results
- Source of funds or source of wealth information
4. Purpose of Processing
We process personal data solely to:
- Deliver AML outsourcing services
- Support clients in complying with AML/CFT regulations
- Detect and prevent financial crime
- Maintain audit trails and compliance records
We do not use personal data for our own independent purposes.
5. Legal Basis
The legal basis for processing is determined by our client, acting as the Data Controller. This usually includes:
- Legal obligation, including AML/CFT compliance requirements
- Legitimate interests, such as fraud prevention and risk management
6. Data Processing Principles
We adhere to GDPR principles, including:
- Processing data lawfully, fairly, and transparently
- Limiting processing to specified purposes
- Minimising the data processed
- Ensuring data accuracy where applicable
- Retaining data only as long as necessary
- Ensuring appropriate security and confidentiality
7. Data Security
We implement appropriate technical and organisational measures, including:
- Role-based access controls
- Secure environments and systems
- Confidentiality obligations
- Controlled data access and handling procedures
8. Sub-processors
We may engage trusted third-party service providers (sub-processors), including:
- IT and cloud infrastructure providers
- AML screening and verification solution providers
All sub-processors are subject to appropriate contractual and data protection safeguards.
9. International Transfers
Where personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards, such as Standard Contractual Clauses (SCCs), adequacy decisions, or other lawful transfer mechanisms where required.
10. Data Retention
We process and retain personal data in accordance with:
- Client instructions
- Applicable legal and regulatory requirements
Retention periods are typically aligned with AML obligations, commonly ranging from 5 to 10 years, unless otherwise specified by law or contract.
11. Data Subject Rights
Data subjects may exercise their rights by contacting the relevant Data Controller, which is typically our client.
Where requests are received directly by us, we will:
- Forward the request to the relevant Data Controller
- Assist the Controller in responding where required under applicable law or contract
12. Data Breaches
In the event of a personal data breach, we will:
- Notify the Data Controller without undue delay
- Provide relevant information to support regulatory reporting
- Cooperate in mitigation and remediation actions
13. Contact
If you have any questions about this GDPR Notice, please contact:
AML Watchtower, MB
J. Lebedžio str. 1, Vilnius, Lithuania
Email: contact@amlwatchtower.eu
Phone: +370 644 66615